
Cybercrime, AstraLocker 2.0 ransomware version passes via Office files

AstraLocker 2.0 ransomware version passes via Office files. Reversing Labs cybersecurity experts: recipients who opened the malicious Word attachment were required to make multiple, additional clicks to activate the embedded malware

AstraLocker ransomware (AstraLocker 2.0) has a new version that is being distributed directly from Microsoft Office files, used as bait in phishing attacks. This was discovered by Reversing Labs cybersecurity experts. The samples we uncovered were hidden within Microsoft Word documents. Executing the malware took some doing: recipients who opened the malicious Word attachment were required to make multiple, additional clicks to activate the embedded ransomware. That’s because the payload is stored in an OLE object; the lure only activates the ransomware if the user double clicks the icon in the document and consents to running an embedded executable named “WordDocumentDOC.exe”. In addition, the samples used an outdated packer, the SafeEngine Shielden v2.4.0.0 protector, making them difficult to reverse engineer. The malware also employs evasion tactics, checking whether the host is a virtual machine.
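The delivery technique described above (an executable embedded as an OLE Package object, shown as an icon the user must double-click) leaves two artefacts inside a .docx that a mail gateway or triage script can look for: an `<o:OLEObject ProgID="Package" DrawAspect="Icon">` element in `word/document.xml`, and a binary under `word/embeddings/` that carries a PE header and a filename ending in `.exe`. The following scanner is an added example written for this article; it is not Reversing Labs' tooling and it does not handle legacy binary .doc files (those are themselves OLE containers). The sample document it scans is constructed in memory: the `oleObject1.bin` stand-in reproduces only the byte patterns a scanner keys on (CFB magic, an embedded filename, an MZ/DOS stub), not a real compound file, and the filename `WordDocumentDOC.exe` is taken from the article.

```python
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file signature
DOS_STUB = b"This program cannot be run in DOS mode"  # text in almost every PE DOS stub
# Word marks an embedded arbitrary file (the "Packager" object) with ProgID="Package".
PACKAGE_OBJ_RE = re.compile(r'<o:OLEObject[^>]*ProgID="Package"[^>]*>')
ICON_ASPECT_RE = re.compile(r'DrawAspect="Icon"')
# NUL-terminated ASCII filenames with an executable extension inside the embedding blob.
EXE_NAME_RE = re.compile(
    rb"[\w .-]{1,64}\.(?:exe|scr|com|bat|cmd|js|vbs|ps1|hta)\x00", re.IGNORECASE
)


def build_sample_docx(malicious: bool = True) -> bytes:
    """Constructed sample (not a real lure): minimal .docx, optionally with an OLE Package."""
    body = ""
    if malicious:
        body = ('<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
                'ShapeID="_x0000_i1025" DrawAspect="Icon" ObjectID="_1" r:id="rId5"/>'
                "</w:object></w:r></w:p>")
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<w:body>{body}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if malicious:
            # Stand-in for oleObject1.bin: CFB magic, an Ole10Native-style filename pair,
            # then the start of a PE image. A real file is a full compound container.
            fake_ole = (CFB_MAGIC + b"\x00" * 24 + b"\x02\x00"
                        + b"WordDocumentDOC.exe\x00"
                        + b"C:\\Users\\victim\\WordDocumentDOC.exe\x00"
                        + b"MZ\x90\x00" + DOS_STUB + b"." + b"\x00" * 16)
            z.writestr("word/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Flag .docx files that carry an icon-style OLE Package wrapping an executable."""
    report = {"package_objects": 0, "icon_objects": 0, "embeddings": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            report["package_objects"] = len(PACKAGE_OBJ_RE.findall(xml))
            report["icon_objects"] = len(ICON_ASPECT_RE.findall(xml))
        for name in names:
            if not name.startswith("word/embeddings/"):
                continue
            blob = z.read(name)
            filenames = sorted({m[:-1].decode("ascii", "replace")
                                for m in EXE_NAME_RE.findall(blob)})
            report["embeddings"].append({
                "name": name,
                "size": len(blob),
                "is_cfb": blob.startswith(CFB_MAGIC),
                "has_mz": b"MZ" in blob and DOS_STUB in blob,
                "filenames": filenames,
            })
    exe_inside = any(e["has_mz"] or e["filenames"] for e in report["embeddings"])
    if report["package_objects"] and exe_inside:
        report["verdict"] = "suspicious"
    elif report["package_objects"] or exe_inside:
        report["verdict"] = "review"
    return report


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_docx(build_sample_docx(flag)))
```

The byte-pattern checks are heuristics: a packed or otherwise obfuscated payload may hide the DOS stub, and a benign document can legitimately embed a Package object, which is why the verdict distinguishes "suspicious" (Package object plus an executable inside the embedding) from "review". Treating any `ProgID="Package"` object in inbound mail as worth a look is a cheap policy that would have caught this lure regardless of the packer used.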
